Malware spam: "Payment Receipt" / "donotreply@dart-charge.co.uk"

The samples I saw had no body text and an attachment PaymentReceipt.xml [VT 5/55] which is an XML file [pastebin] with a Base64 encoded section which magically transforms into a malicious Word macro.
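For readers who want to look inside such an attachment safely, here is an added triage helper (my example, not code from the original post or the spam run it describes). It walks a Word 2003 XML document, decodes any element whose text is a large Base64 blob, identifies the decoded bytes from their magic number, and flags UTF-16LE stream names typical of a VBA project. The `w:binData` / `editdata.mso` naming and the embedded sample document are assumptions constructed for the example, not taken from the real PaymentReceipt.xml; nothing here executes the decoded content.

```python
"""Static triage of a Word 2003 XML attachment carrying a Base64 section.

Added example for illustration only; the sample document below is constructed
and does not reproduce the real PaymentReceipt.xml.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Well-known magic numbers to recognise in a decoded section.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file"),
    (b"ActiveMime", "ActiveMime wrapper"),
    (b"PK\x03\x04", "ZIP container"),
    (b"MZ", "PE executable"),
]

# OLE directory entries store stream names as UTF-16LE; these belong to VBA
# projects. Their presence is a heuristic hint, not proof of a macro.
VBA_MARKERS = [
    "VBA".encode("utf-16-le"),
    "Macros".encode("utf-16-le"),
    "_VBA_PROJECT".encode("utf-16-le"),
]

B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LEN = 64  # ignore short text nodes that happen to be Base64-safe


def classify(data):
    """Return a label for the decoded bytes based on their leading magic."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def has_vba_markers(data):
    return any(marker in data for marker in VBA_MARKERS)


def find_embedded_blobs(xml_text):
    """List every element whose text decodes as a sizeable Base64 blob."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        text = "".join((elem.text or "").split())  # tolerate wrapped Base64
        if len(text) < MIN_LEN or not B64_CHARS.match(text):
            continue
        try:
            data = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        name = next((v for k, v in elem.attrib.items() if k.endswith("name")), None)
        found.append({
            "tag": tag,
            "name": name,
            "size": len(data),
            "type": classify(data),
            "vba_markers": has_vba_markers(data),
        })
    return found


# Constructed sample: an OLE header followed by fake directory stream names,
# wrapped in a w:binData element the way Word 2003 XML stores binary parts.
_payload = (
    MAGIC[0][0] + b"\x00" * 24
    + "Root Entry".encode("utf-16-le") + b"\x00" * 16
    + "Macros".encode("utf-16-le") + b"\x00" * 16
    + "VBA".encode("utf-16-le") + b"\x00" * 64
)
_b64 = base64.b64encode(_payload).decode()
_wrapped = "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
SAMPLE_XML = f"""<?xml version="1.0"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
  <w:binData w:name="editdata.mso">
{_wrapped}
  </w:binData>
  <w:body><w:p><w:r><w:t>Payment receipt</w:t></w:r></w:p></w:body>
</w:wordDocument>"""

if __name__ == "__main__":
    for blob in find_embedded_blobs(SAMPLE_XML):
        print(blob)
```

Run against a real sample, the interesting line is the decoded type: an innocent receipt has no reason to embed an OLE or ActiveMime part, so a `binData` element that classifies as one, with VBA stream names inside, is enough to quarantine the message before anyone opens it in Word.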

This macro downloads a malicious binary from:

http://puerta.fr/sandra/write.exe

Other versions of the attachment may download the same binary from different locations. This is saved as %TEMP%\mikapolne.exe and has a VirusTotal detection rate of 26/55. Automated analysis [1][2][3] shows it communicating with:

Is this really a coincidence? We live in Scotland, but were on a rare visit to Kent, using the Dartford Tunnel for the first time in many years, paying the full charge over the phone within 24 hours, in early June. Received a penalty notice by post several weeks ago claiming £5 was still due for a one-way travel, although this had in fact already been paid. We sent off a letter immediately replying on the given form, enclosing proof of payment from bank etc. along with details of the phone call made at the time of payment. We felt then that a member of staff was possibly skimming money from the Dart Charge. Then funnily enough, we receive today the 'receipt' as a .xml file attachment. Fortunately we have a Mac and also anti-virus protection, so no harm done. However I feel this perhaps should be looked into by the Gov system!

@Muchyt22.. this has been spammed out very widely, targeting UK email addresses. Tens of thousands of people use the crossing every day, so the spammers are hoping that they will be more likely to click through. These spam runs happen most days and pretend to be from a variety of sources, including water cooler companies and carpet shops.

I'm interested that the genuine attachment was an XML file. It appears that the spammers use REAL emails from hacked accounts to base these spam messages on. That makes them look very convincing indeed!

This is interesting. I have received this particular "receipt" e-mail with virus attached and I do not live in the UK, but I do have clients in the UK. Am not very computer savvy, but if you look at the header of the e-mail - pasted in below - and the Whois query, also pasted in below, could it actually have come from Poland?